Author Topic: False Positive JS:ScriptIP-inf and URL:Mal  (Read 20364 times)


masterbo

  • Guest
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #15 on: April 08, 2011, 01:09:28 AM »
At this time you said maxmind is whitelisted but your avast continues to block
<script referring to page which we block whitelisted.

Please check your avast does not CONTINUE to block script referring to page which we block whitelisted.
I understand that it's more simple for you to enable a single site (for example mine) and not do the error correction in the avast software code and the error in the avast virus database.
But the error is, please correct it.

1) Sites referred via <script to maxmind
2) avast blocks it
3) avast whitelisted maxmind
4) avast continues to block the sites referred via <script to maxmind IN THE PAST before maxmind was whitelisted


And think that you are doing an illegal thing to block access to sites which have no bad codes and only referred to a site you think bad.
Block these bad sites access, block downloading js from bad sites, but it's very wrong to block sites without bad code, only for reference to bad site.
How do you plan to explain in the USA court why you block sites without bad codes?
« Last Edit: April 08, 2011, 01:22:52 AM by masterbo »
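
The situation in the post above, a page flagged because it pulls a resource from a third-party host, can be checked from the site owner's side. The following is an added example, not part of the thread and not avast's detection logic: it lists the `<script>`, `<img>`, `<iframe>` and `<link>` references in a page that resolve to a given domain or its subdomains. The function names, the `site.example` page URL, the look-alike host and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and the attribute that makes the browser fetch a remote resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ExternalRefParser(HTMLParser):
    """Collect (tag, absolute_url, host) for every resource reference."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.refs = page_url, []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host/x) URLs.
        url = urljoin(self.page_url, value.strip())
        host = (urlsplit(url).hostname or "").lower()
        self.refs.append((tag, url, host))

def host_matches(host, domain):
    """True for the domain itself or a subdomain, never for look-alikes."""
    return host == domain or host.endswith("." + domain)

def flagged_references(html, page_url, flagged_domains):
    """Return third-party references whose host falls under a flagged domain."""
    parser = ExternalRefParser(page_url)
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    return [
        (tag, url)
        for tag, url, host in parser.refs
        if host != page_host and any(host_matches(host, d) for d in flagged_domains)
    ]

# Constructed sample page; the look-alike host must NOT be reported.
SAMPLE_HTML = (
    '<script src="//j.maxmind.com/app/geoip.js"></script>'
    '<script src="/js/local.js"></script>'
    '<link rel="stylesheet" href="http://maxmind.com.cdn.example/style.css">'
    '<img src="http://www.maxmind.com:8010/pixel.gif">'
)

if __name__ == "__main__":
    for tag, url in flagged_references(SAMPLE_HTML, "http://site.example/", {"maxmind.com"}):
        print(f"<{tag}> -> {url}")
```

Running it against the saved HTML of a flagged page shows which reference to remove or replace before asking for a rescan.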

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89119
  • No support PMs thanks
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #16 on: April 08, 2011, 01:24:54 AM »
Look, we can't help you if you don't help us. I have visited the maxmind.com site and there is no alert by avast on the home page. To be able to investigate it we need the URL that was in the avast alert: either post a screenshot of the alert window, or check the AvastUI, Real-Time Shields, Web Shield, Shield log or the last infected page.

Without this information we can investigate nothing.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #17 on: April 08, 2011, 07:54:33 PM »
Hi masterbo,

This could have been caused by a simple link to an external image, and there might be a problem: a hacker (files could have been changed) could have done more to that site (webstat hack), and a rootkit can be silently running there.
In case of shared hosting, ask the hoster to check.
Without the URL of that site, we can only speculate as to what is being flagged, and your posting here makes no sense.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline OrangeCrate

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 798
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #18 on: April 08, 2011, 10:16:58 PM »
^,

Welcome back Polonus!

Hope you'll stick around, I (we) missed your participation here on the forums.

 :)

Edit:

I just checked your recent posts. I see you've been back for a while. I guess I should check in here more often. Anyway, welcome back.
« Last Edit: April 08, 2011, 10:19:40 PM by OrangeCrate »

Libertexto

  • Guest
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #19 on: April 12, 2011, 11:15:52 PM »
Hello,
I have the same problem with my web: hxxp:www.libertexto .org
I would appreciate your help.
Thanks in advance.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89119
  • No support PMs thanks
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #20 on: April 12, 2011, 11:23:12 PM »
When did you have this problem?

If yesterday, ensure you have the latest version of the virus definitions, currently 110412-1.

Libertexto

  • Guest
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #21 on: April 13, 2011, 12:09:52 AM »
The problem was reported to me today (I don't have it because I don't use an antivirus), but I'll check if the problem was yesterday and it continues today.
Thanks for your answer.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89119
  • No support PMs thanks
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #22 on: April 13, 2011, 12:13:34 AM »
No problem, glad I could help.

Welcome to the forums.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #23 on: April 13, 2011, 04:37:33 PM »
Hi Masterbo,

There sure is something fishy with this domain (W32:Malware.gen launching site),
new malware is being launched from maxmind dot com from time to time and in the recent past,
malware now dead once launched from there came from:
htxp://www.maxmind.com/app/locate_my_ip
This has been found there: http://www.malware-control.com/statics-pages/74657b51a5d999c8438a02d922f2da59.php
htxp://www.maxmind.com/download/geoip/database/GeoIP.dat.gz  unknown suspicious executable
htxp://www.maxmind.com:8010/a?l=PeAyF1sgrZYw&i=
Was not detected by virustotal: http://www.virustotal.com/file-scan/report.html?id=fc749a44906d1f5230389b8bd8340e9f07dd5acb3772d934dcb194bd59236c40-1256984042

htxp://j.maxmind.com/app/geoip.js
also was not detected: http://www.virustotal.com/file-scan/report.html?id=23a1749ed06eab0128f6ce8e22fafc3bb27d777fdd8b2dbf011ae1b3c48a4770-1256865607
But the malware pointing to Pornsites was described here:
http://malwaresurvival.net/2011/02/15/speedboing-com-porn-site-points-to-malware/  (author and source:
http://malwaresurvival.net/author/admin2008/ malware survival - malware then detected: February 15, 2011)

If avast detects something there, this domain is certainly not beyond suspicion. Proven that malcreants used this domain before,
and have gone under the av radar for some time...

polonus
« Last Edit: April 13, 2011, 04:39:06 PM by polonus »

Libertexto

  • Guest
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #24 on: April 13, 2011, 11:24:14 PM »
When did you have this problem?

If yesterday, ensure you have the latest version of the virus definitions, currently 110412-1.

You were right. The problem disappeared after updating avast. Thank you for your answer.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89119
  • No support PMs thanks
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #25 on: April 13, 2011, 11:31:02 PM »
No problem, glad I could help.

Welcome to the forums.

OlegAnat

  • Guest
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #26 on: February 12, 2014, 01:58:56 PM »
If you'd tell us the url of your page, we'd be able to do something.  :-\

I have the same problem. Website www.arbalest.ru
No other antivirus defines it as infected. Only avast.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
« Last Edit: February 12, 2014, 02:21:24 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: False Positive JS:ScriptIP-inf and URL:Mal
« Reply #28 on: February 12, 2014, 06:36:06 PM »
This is a so-called "Multiple IPs"-site.
Bot or Trojan IPs  | # of Connections | First Identified | Last Seen     | Threat         | Danger Level
90.156.201.36      | 15               | 3 years ago      | 5 days ago    | RUSSIA         | 1
                   |                  | 3 years ago      | 5 days ago    | Eastern Europe | 1
                   |                  | 3 years ago      | 5 days ago    | Modified ITAR  | 1
                   |                  | 3 years ago      | 5 days ago    | Russia         | 1
Historical
                   |                  | 10 months ago    | 4 months ago  | AlienVault     | 4
                   |                  | 10 months ago    | 10 months ago | IID-bot        | 5
                   |                  | 10 months ago    | 10 months ago | BOTNETS        | 5
See: http://support.clean-mx.de/clean-mx/viruses.php?ip=90.156.201.36&sort=lastseen%20asc
See: http://jsunpack.jeek.org/?report=bdaa01d0df3b5e4f723831778c5f8b6bd6e51fda

See for IP Recent reports on same IP/ASN/Domain -> http://urlquery.net/report.php?id=9413439

Blocked is this external link: htxp://d3.c3.b0.a1.top.list.ru/counter?id=1061635;t=134;js=13;r=undefined;j=true;s=1176*885;d=24;rand=0.19010185478453023

2 suspicious files on site flagged by Quttera's http://quttera.com/detailed_report/www.arbalest.ru -> http://jsunpack.jeek.org/?report=5da6b5a5d3af5651d485aea625fa11809e5a92c9  & http://jsunpack.jeek.org/?report=5b26d00cde20b158fbe29a5f61261e8e566e1135
(redirecting trojan code?)

No longer blocked here: http://www.arbalest.ru/index.php?show_aux_page=117
nor here: http://arbalest.ru/index.php?show_aux_page=66

polonus
